At SchellmanCON 2025, SafeBase CISO Lisa Hall sat down with Mike Britton, CIO at Abnormal Security, to discuss the biggest challenges facing security teams today — and how the best teams are solving them.

Their conversation covered what’s slowing teams down, where AI can actually help, and how security can stop being seen as the department of “no” and start acting as a strategic business partner.

Right now, most teams are stretched thin. Threats are getting more sophisticated. Expectations are growing. And frameworks keep piling up.

Did you know?

  • 69% of companies say they’re not fully confident in their cybersecurity posture (PwC)
  • 57% of organizations experienced a major data breach in the past year (Accenture, 2024)
  • Companies are managing an average of 8 compliance frameworks — and expect to add 6 more this year (Wakefield Research)

It’s a lot. And the question most security leaders face isn’t just “how do we stop threats?” It’s “how do we prove our impact, build trust, and support the business — without burning out our team?”

The conversation between Lisa and Mike covered many things:

  • Why old problems are still the real blockers
  • Where AI can actually help (and where it’s overhyped)
  • How to approach the build vs. buy question
  • Why compliance isn’t the right starting point
  • What real security culture looks like — and how to build it
  • What the best teams are doing to lead, not just react

Let’s dig into what Mike and Lisa covered.

Focus on the Problems That Actually Slow You Down

“The threat landscape always evolves, but it’s the old things that still haunt us.” --Mike Britton 

There’s a constant buzz about new threats. But most security teams are still dealing with the same blockers that have been around for years.

  • Talent is hard to find — and harder to keep
  • Engineers waste hours on repetitive tasks
  • Email remains the most common attack vector
  • And teams spend too much time proving they’re “secure” instead of actually securing things

These aren’t headline-grabbing challenges, but they’re the ones that drain capacity. They pull smart people away from high-impact work and bury teams in maintenance mode. That’s what really slows down security — as well as business growth metrics. 

AI Should Free Up Your Best People

Yes, attackers are using AI to get smarter. But defenders can use it too — and they should.

The real opportunity with AI isn’t just in detection. It’s in reclaiming time. When teams are drowning in risk questionnaires, evidence gathering, policy reviews, and framework mapping, AI can step in and handle the busywork. SafeBase and Abnormal shared some of the ways their teams are leveraging AI to amplify the team’s impact.

A few avenues included:

  • Automating responses to inbound customer questionnaires
  • Automating compliance processes and documentation for audits
  • Using AI to summarize large logs or event data
  • Generating draft policies or security updates

Britton shared that his team has been able to build more resilient programs by protecting their team’s time. What’s more, the more high-value work your team gets to do, the more likely they are to stay at the organization and contribute meaningfully.

Don’t Build What You Can Buy

Britton and Hall came back to a central question that each of them has worked through with their teams: what should we build ourselves, and what should we buy?

In reviewing the current landscape and top priorities, they agreed that most problems don’t require a custom solution. Especially not with the pace of change today. Buying gives you:

  • Faster implementation
  • More features out of the box
  • Shared learning from a larger customer base
  • A team that owns R&D and updates

But that doesn’t mean you should never build. Build when it gives you strategic flexibility. When the use case is core to your product, your customers, or your internal workflows. And when you know you have the people to maintain it long term. 

Security First. Compliance Will Follow.

“Lead with security. Lead with good risk management. The compliance will follow.” --Mike Britton

Compliance doesn’t equal security. And leading with frameworks can lead teams down the wrong path. Compliance is important because it creates accountability. It helps prove that what you say you're doing, you're actually doing. But if security decisions are driven by checkboxes, the program loses credibility and depth.

Good security:

  • focuses on real risks
  • aligns with business goals
  • collects useful evidence
  • builds a culture of responsibility

When those things are in place, compliance comes naturally. But when compliance leads, you get policies no one reads and controls no one believes in.

Security Culture Requires More Than Just a Policy

“Most people want to be seen as good corporate citizens. They love to call out their friends. We just leaned into that.” --Mike Britton

Most security leaders say they want to “build a culture of security.” The problem is, culture isn’t a slide deck. It’s how people behave when no one’s watching.

Strong security cultures start with leadership modeling the expectations. If leadership cuts corners or asks for exceptions, employees notice. Culture also spreads peer to peer. Teams watch each other. Light gamification, leaderboards, or internal nudges can shift behavior more effectively than annual trainings.

Some ideas Britton and Hall shared in their discussion:

  • Recognize teams for patching on time
  • Make secure habits part of performance reviews
  • Turn best practices into shared norms, not top-down mandates

Security becomes part of the culture when it’s seen as part of the job — not something separate that gets in the way.

What the Best Teams Are Doing Right Now

High-performing security teams stay close to business goals. They understand what drives revenue, where the risks are, and how to move fast without creating drag. They focus on trust, clarity, and execution.

"Understand what your business does, where it needs to go, and what they need to do to achieve objectives. Focus on security. How do I manage risk? How do I be secure? If you’re doing those things well, compliance will follow." — Mike Britton

Here’s how high-performing teams are thinking about security:

  • They know the business model and what their customers care about
  • They focus on the risks that actually matter
  • They use AI to reduce friction and scale their impact
  • They show clear evidence — not just claims — of their program’s effectiveness
  • They collaborate across teams to support progress, not block it

This approach turns security into a strategic function. It helps the business move faster, make smarter decisions, and build lasting trust — with customers and internal teams. The teams that stand out won’t be the ones doing the most — they’ll be the ones doing the right things, at the right time — with purpose.

Final Thoughts

Lisa Hall and Mike Britton made one thing clear in their conversation: strong security teams stay focused. They reduce friction, protect their team’s time, and stay tightly aligned with the business.

SafeBase plays a key role in that work — automating questionnaires, supporting trust, and helping teams operate with less drag.

Security doesn’t scale through effort alone. It scales through clarity, smart tools, and leadership that knows where to focus.

“It goes back to the Trust Center — showing our customers and being able to demonstrate that we’re doing the right thing. People don’t just want to hear it. They want to see it.” --Lisa Hall, SafeBase CISO